If better privacy and anonymity sound like music to your ears, you may not need to look much further than Tor Browser. Here’s what it’s like to surf the dark web using the browser.
When I speak to people about the dark web, many are still very wary of it and often think that it is illegal to even download a browser for the dark web, let alone actually access the normally hidden part of the world wide web.
But of course, it is not. Before we dive deeper, though, let’s look at where you can get that thing that’s often called a ‘dark web browser’.
What: Tor Browser (If you use iOS, consider Onion Browser)
Where: Tor Project website
Time required: 2 minutes
Cost: Zero. (You can thank me later.)
Ingredients: A Mac, PC, Linux, Android or iOS device and a browser of your choice
Method: Download Tor Browser (or Onion Browser on iOS). Start browsing.
Not only is there nothing illegal about downloading Tor Browser to roam around the dark web, you can actually use it to access the part of the web you’re already keenly familiar with: the ‘indexed’, also known as ‘clear’ or ‘surface’ web. Tor Browser works like a regular web browser, except that it connects to the Tor anonymity network, which wraps your traffic in multiple layers of encryption while routing it via random relays (hence the name, ‘Tor Onion Router’) until it reaches the intended destination.
Wherever your browsing takes you, Tor provides some assurance that you’re not being tracked by your Internet Service Provider (ISP), government or advertisers and that you also remain anonymous to the websites and services you visit. [It’s not a magic bullet, however, and there are various scenarios where the browser can’t protect you, especially from yourself.]
Since Tor Browser is generally thought of as the gateway to the dark web, let’s use it for a short trip to the dark recesses of the web.
The dark web can sound like a very scary place, but often it’s people’s fear of the unknown that is greater than their fear of this part of the web. It is used in manifold ways, but truth be told, it is often used for illicit purposes, such as buying and selling drugs, guns, and other contraband.
For those of you who have a fascination with it but are still too afraid to delve in, I have decided to take a trip around the dark web and record my findings, so you don’t have to.
At first glance, Tor Browser isn’t much different from other browsers. It is still application software used to access the world wide web, and Tor Browser even opens on a search engine enabling you to visit any open-web URL. However, you can also visit dark web URLs on domains with a “.onion” suffix that are not available from the likes of Safari, Firefox and Chrome (out of the box, anyway).
Tor Browser uses the DuckDuckGo search engine by default, which is a privacy-focused competitor to Google Search that doesn’t collect or share your search history. The quality of search results returned by DuckDuckGo has been improving steadily, and the search engine is slowly starting to look like a genuine rival to Google Search as more and more people are becoming more privacy aware and, indeed, wary of the internet becoming a web of advertising trackers monitoring our every move.
Also, DuckDuckGo and others are less likely to have many advertisements – possibly due to the fact they are not able to profile you and your interests so easily (and so the search delivers are not personalized). Privacy is the main selling point for DuckDuckGo. This Google search alternative doesn’t track your search history, the time or location of your search, or your Internet address … which are vital to Google and its business model.
Scouring the eBays of the underworld
After searching for underground forums and shopping sites, it wasn’t long before I located a few illicit sites offering drugs in exchange for bitcoin and other cryptocurrencies. I was able to read the reviews, there were offers of online chats to discuss the details, all with the knowledge that all of this would be confidential and relatively untraceable. This makes the dark web extremely attractive to wannabe and career criminals looking to take advantage of its powerful anonymity.
I decided to delve even deeper into this underworld at my fingertips and search for other illegal products. I soon found sites offering me fake bank notes of any currency, fake IDs, PayPal accounts, credit card “fulz” (full card details with corresponding CVV numbers), hacking-as-a-service operations, and even weapons with unregistered bullets. It was scarily quick and effortless to get this far and in some cases with surprisingly good customer service.
Some sites even held their reputation on this customer service and, to achieve better service ratings from buyers, went so far as to offer a phone number to help with any problems. This all helps with their future presence on the sites, which in turn can push up their prices showing potential buyers their effective “legitimacy”. I did, however, question the authenticity of each site but the more I investigated them, the more I realized it would possibly be more work to create fake sites than have the genuine artifacts.
I even came across a chilling hitman service site selling all sorts of deadly dealings. That said, I soon started to wonder if in fact it was a hoax page, not just because there are quite a few hitman sites with cloned information and all looking identical.
Guns, drugs and… data?
Although guns and drugs were being sold, it was the ease with which people’s data was being thrown around, including people’s passwords, that made me stop and think. I clicked on one database on show, which opened up millions and millions of lines of data showing email address and passwords.
I was easily able to search for the word “password” to show the thousands of accounts where people were still using this in, or as part of, their password.
Note: I fully checked with my former colleagues in the UK police digital that what I was doing was legal and they said: “There is no issue with you identifying stolen data on the dark web and using it as you suggest – offences will only be committed under the [UK] Computer Misuse Act in regard to what your intentions are to do with the data that you retrieve.”
With countless account credentials up for grabs on cybercrime forums, the owners of such online accounts are clearly at risk of damaging hacks. And the risk is looming large not ‘just’ for the accounts that are listed in such databases of stolen logins. With many people simply recycling their passwords across various online services, criminals can hack into any other account that is only ‘secured’ by that same password. This is obviously a problem particularly if any of those accounts contains highly sensitive details such as credit card information. Stolen or compromised login credentials are an important attack vector behind data breaches and can lead to the theft of sensitive corporate information.
Not only is it vital to change a password that has been stolen, but it is imperative to enable two-factor authentication (2FA) on all accounts that offer it. Criminals steal data and it will never be deleted from the dark web, so it is important to secure it, and invalidate what is known to have already been leaked, where possible. It is highly likely that leaked data will keep circulating forever so you need to be in control of whatever you can, such as by using a password manager and handing out only limited personal information to sites. There are also sites, such as Have I Been Pwned (HIBP), that allow you to check if your email addresses or passwords have appeared in a known data breach.
Tor Browser opens access to the curious world and holds many uses for people who enjoy the freedom of the world wide web without being monitored or tracked. It also opens the door to the true dark side of the dark web, which can be a dangerous place where cybercriminals hide, and it will likely be around for as long as the internet is with us.
The police, meanwhile, have clear frustrations with the dark web and they are up against a difficult fight with criminals and the courts alike. Limited evidence means fewer crooks are put away with more anonymity tools at their disposal. Even more problems are now being seen where cybercriminals are using Telegram and other messaging and social media apps, instead of the dark web, to sell contraband. If you’re interested in these issues, you may want to take a look at my piece about how the dark web is spilling onto social media.
BEFORE YOU GO: 5 ways hackers steal passwords (and how to stop them)
by Jake Moore, ESET